RT-AX86U - Block all but a specific site from a device?

[andsoitgoes]

Hi everyone,

I don't have Merlin installed on my 86U, but I would like to block all internet traffic (sans 1 server) from a few specific devices in my home network that I want to fully secure.

I know this isn't an easy request, but I'm hoping there's a way to do this. If not possible on the stock firmware, I am comfortable installing Merlin if need be.

I don't know if setting up a proxy server (I do have a raspberry pi) would be a better idea? I would love something easy, but I'm SOMEWHAT capable technically and just really want to limit external access as these are security devices I don't want to be able to be accessed outside of my home.

Thanks in advance!

 

[bennor]

If you want to block all internet access to specific network clients then one can either use the Parental Controls > Time Scheduling and select Enable Time Scheduling then select Block and add each client you want to block. Not sure if the stock Asus firmware has the following option, but on Asus-Merlin one can block a client internet's access by selecting Network Map the select the circle icon above Clients, then select the Client's icon from the column on the right, then select Block Internet Access then click Apply.

Time Scheduling:

Network Map, Client, Block Internet Access:

 

[drinkingbird]

Hi everyone,

I don't have Merlin installed on my 86U, but I would like to block all internet traffic (sans 1 server) from a few specific devices in my home network that I want to fully secure.

I know this isn't an easy request, but I'm hoping there's a way to do this. If not possible on the stock firmware, I am comfortable installing Merlin if need be.

I don't know if setting up a proxy server (I do have a raspberry pi) would be a better idea? I would love something easy, but I'm SOMEWHAT capable technically and just really want to limit external access as these are security devices I don't want to be able to be accessed outside of my home.

Thanks in advance!

Even with Merlin there isn't a way to do that unless you want it to cover all devices (short of doing scripting etc). The only way I can think (in both stock and Merlin) is on firewall-> network services filter, set it to "allow list" then put the client and the destination IP rules first, then a couple rules (one TCP and one UDP) at the end for all clients to permit everything (the first rule takes precedence so the permit any won't apply to that one source IP). For the site you want to allow though for that one client, if it has more than 1 IP address, you'll need to create rules for all of them (and some sites you don't know, it returns various IPs to various DNS lookups).

So it would be like
source 192.168.1.100 to destination 8.8.8.8 protocol TCP (assuming it does not need UDP). You can specify the destination port but not required if you don't need to filter that
possibly more similar rules with different destination IPs
source 192.168.1.0/24 protocol TCP
source 192.168.1.0/24 protocol UDP

I'm not sure if this will block ICMP, I think if you leave that field at the top blank that will make it through, but not positive.